chore: scaffold initial rust workspace#1
Conversation
|
Warning Review the following alerts detected in dependencies. According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.
|
|
Semgrep found 8
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. Semgrep found 13
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 210a3c9c75
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| components: clippy | ||
| - uses: Swatinem/rust-cache@v2 | ||
| - name: Run Clippy | ||
| run: cargo clippy --locked --all-targets --all-features -- |
There was a problem hiding this comment.
Make the lint job pass on the scaffold
This CI step currently exits non-zero because the API crate denies the full clippy::pedantic/clippy::nursery groups and the newly added code already trips denied lints, e.g. api/src/routes/health.rs::handler is async without any .await (unused_async) and api/src/routes/mod.rs::handler returns a value without #[must_use] (must_use_candidate). Since this job runs on every PR and push to main, the scaffold cannot get a green CI run until those lints are fixed or explicitly allowed.
Useful? React with 👍 / 👎.
| version = "0.1.0" | ||
| license = "MIT" | ||
| publish = false | ||
|
|
There was a problem hiding this comment.
nit. let's set up linting rules globally for the workspace
| └── secure-enclave/ # Secure enclave process | ||
| ``` | ||
|
|
||
| ## Development |
There was a problem hiding this comment.
I'd drop this section, not super helpful
| cargo test --all | ||
| ``` | ||
|
|
||
| For private repository access, install and authenticate the GitHub CLI using its |
There was a problem hiding this comment.
I don't think this is relevant right now?
| For private repository access, install and authenticate the GitHub CLI using its | ||
| [official RPM instructions](https://github.com/cli/cli/blob/trunk/docs/install_linux.md#dnf4). | ||
|
|
||
| Optionally install Codex for development on the remote host: |
There was a problem hiding this comment.
I'd also drop this, or just keep a generic you can install an agent tool like Codex or Claude in the remote host
|
|
||
| [workspace.package] | ||
| edition = "2024" | ||
| rust-version = "1.97.0" |
There was a problem hiding this comment.
let's not repeat with the rust-toolchain?
| name: Format | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 |
There was a problem hiding this comment.
please use explicit hashes for the workflow versions
| with: | ||
| components: rustfmt | ||
| - name: Check formatting | ||
| run: cargo fmt --all -- --check |
There was a problem hiding this comment.
nit. I'd run format and lint on the same one
| - uses: Swatinem/rust-cache@v2 | ||
| - name: Build debug | ||
| run: cargo build --locked --verbose | ||
| - name: Build release |
There was a problem hiding this comment.
I'm not sure building debug and release is adding much, I'd just build release, the debug version is implicitly built for tests
| - uses: EmbarkStudios/cargo-deny-action@v2 | ||
| with: | ||
| command: check ${{ matrix.checks }} | ||
| rust-version: 1.97.0 |
There was a problem hiding this comment.
I'd drop this to avoid having another source of truth for rust version
This PR sets up the initial Rust workspace for the embedding verifier.
apiandsecure-enclavecrates on Rust 1.97.0/healthroute with environment state and endpoint coverage